What is the best method to restrict CA ACF2 users who have a blank UID and no TSO privileges from accessing the mainframe via FTP?